Security researchers have discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user.

Security researcher Wolfgang Ettlinger from SEC Consult Vulnerability Lab has discovered a security vulnerability in Oracle Access Manager that can be exploited by a remote attacker to bypass the authentication and take over the account of any user or administrator on affected systems.

“we will demonstrate how minor peculiarities of the cryptographic implementation had a real-life impact on the security of the product. By exploiting this vulnerability we were able to fabricate arbitrary authentication tokens, allowing us to impersonate any user and effectively break the main functionality of OAM.”

Ettlinger explained that an attacker can exploit a vulnerability in the way OAM handles encrypted messages to trick the software into accidentally disclosing information that can be used to log in impersonating other users.

The attacker can power a padding oracle attack to disclose an account’s authorization cookie, he can create a script that generates valid login keys for any desired user, including administrators.

“During a research project, we found that a cryptographic format used by the OAM exhibits a serious flaw. By exploiting this vulnerability, we were able to craft a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow us to access protected resources.” explained the expert.

“What’s more, the session cookie crafting process lets us create a session cookie for an arbitrary username, thus allowing us to impersonate any user known to the OAM.”

The following video PoC shows that an attacker can impersonate arbitrary users by triggering the flaw.